1. Introductions and apologies


1.1 Introductions were made as this meeting was the first
meeting for the Director of Finance, Angela Donaldson, the
new external audit members from Deloitte, Laura Charmant
and Michelle Hopton, and Curtis Hodgson from NAO. Asam
Malik, Nathaniel Burfield-Wallis and Anton Yunussov from
Mazars joined the meeting to present the cyber security audit
report.


1.2 Lee Parfitt from Ofcom also joined the meetings as an
observer as part of the Next Gen NEDs Programme.


1.3 Apologies were received from John Edwards who was not
required to attend.


2. Declaration of interests


2.1 No declarations were made.


3. Matters arising from the previous meeting 


3.1 The minutes from the previous meeting were agreed. There
were no outstanding actions.


4. Deputy Chief Executive Officer’s update 


4.1 Paul Arnold provided an update on key activities of the ICO
since the last meeting of the Audit Committee, primarily
focusing on the completion of Elizabeth Denham’s term as
Information Commissioner, the transition to the new
Information Commissioner, and the first few days of John
Edwards’ term as Information Commissioner.


4.2 Ailsa Beaton asked whether John Edwards had started to
consider any plans, objectives or organisational changes for
the future, as it is important for the Audit Committee to
continue to be across the risks and concerns that may arise
from those decisions. Paul Arnold confirmed that John
Edwards will be giving this consideration and this will be
shared with the Committee to ensure it can fulfil its assurance
and risk role.


5. Internal Audit 


5.1 At the recommendation of Mazars the Committee agreed that
the audit of procurement and contract management would be
moved to the 2022/23 financial year to allow the work
currently being carried out to review these areas by the ICO
to be implemented prior to the audit.


5.2 Mazars confirmed that moving this audit to the next financial 
year would not have an impact on their ability to provide an 
internal audit opinion for 2021/22. 


5.3 The Committee discussed the outcomes of the Cyber Security 
audit and agreed to arrange an interim meeting in February to 
review progress against the recommendations. It was further 
agreed that, due to security reasons, it was not appropriate to 
publish the audit report. 


Action: Corporate Governance to arrange an interim 
meeting to discuss the progress of the cyber security 
audit actions. 


5.4 The Committee discussed the remaining audit reports and 
Mazars confirmed that the Core Financial Controls audit had 
been very close to achieving an outcome of substantial 
assurance. 


5.5 The improvements carried out in the Stakeholder 
Management area since the previous audit in 2020 were also 
highlighted. 


6. Compliance with Government Functional Standards 


6.1 Louise Byers presented the report outlining the ICO’s 
compliance with Government’s functional standards. 


6.2 It was confirmed that the Planning and Performance Team will 
be ensuring that any actions that are required to comply with 
the standards will be included in Directorate business plans 
going forward. 


6.3 The Committee discussed whether compliance with the 
functional standards would be included in future audits. 
Mazars confirmed that there are a variety of approaches 
emerging. After discussions with Government Internal Audit 
Agency, the recommended approach will be about mapping 
the assurance using the three lines model and being clear on 
the assurance from that process. 


6.4 Louise Byers confirmed that some of these areas are still 
being developed and will be overseen by the Risk and 
Governance Board. However, the existing work provides 
assurance on our current compliance. 


7. Business Continuity Strategy Statement — annual review 


7.1 Joanne Butler presented the report providing assurance to the
Committee on the development of the Business Continuity
Management practices. She confirmed that updates have been
made to the corporate Business Continuity Plan and we are
currently in the process of reviewing the existing incident
response plans to maximise our level of preparedness.


7.2 Department Heads were also reviewing the department level
Business Continuity Plans in the context of the current
COVID-19 situation.


7.3 Additional resource in a Risk and Business Continuity Manager
is currently being recruited to help progress this area of work.
This role would include planning and facilitating desktop
incident response exercises.


7.4 Joanne Butler confirmed that she had recently met with the
Cyber, IT and Comms teams to discuss the incident response
plans and playbooks. These responses would include some
pre-prepared statements to be used in the event of an incident.


The Committee discussed the involvement of Management
Board in business continuity exercises to ensure that
members are aware of their role and the ICO’s approach in
the event of an incident.


8. Risk Management Policy 


8.1 Joanne Butler presented the report providing assurance to the
Committee on the development of the ICO’s Risk Management
Policy.


8.2 It had previously been agreed that an in-depth review of the
policy would be carried out every 3 years, with the next of
these reviews due next year. Therefore there were only minor
amendments this year, primarily to reflect organisational
change.


8.3 The annual review of the Risk Appetite Statement will be
presented to Management Board for approval in March. The
Committee requested that an introduction to the paper should
be provided to explain to Management Board their ownership
of the risk appetite, why it is so important and how it
influences the organisation’s activities.


9. Corporate Risk Review Outcomes 


9.1 Louise Byers presented the report outlining the key outcomes
in the recent corporate risk reviews which focused on the risk
ratings and ensuring that the mitigating actions had a
material impact on the risk scores.


9.2 The Committee discussed the potential for staff absences over
the next few months and the impact of this on capacity risks.
Louise Byers confirmed that we are currently scenario
planning in the event of an uptake in staff absences due to
COVID. We are monitoring COVID absences and reviewing
the business continuity plan to ensure that our understanding
of the priority areas to inform work that needs to be carried
out remained accurate, should there be large areas of absence
due to sickness or home schooling.


9.3 Jayne Scott highlighted that it would be useful to receive more
information on target scores and the pathway to achieving the
target scores.


9.4 The Committee agreed with the proposal to split Risk 4
Capacity and Capability into two risks.


Action: Corporate Governance to arrange for a deep 
dive into the pathway to achieving the target scores for 
risks at a future meeting. 


10. Finance 


Income & Expenditure


10.1 Angela Donaldson provided an update on the Management
Accounts and confirmed that we are on track for fee income
and on budget. Year to date there is underspend and a Q3
budget review will be presented to the Resources Board in
January to inform funding of business plans for 2022/23,
which would be completed in Q4.


Changes to accounting standards


10.2 Angela Donaldson presented the report highlighting the
relevant changes to accounting standards in line with the
guidance from International Financial Reporting Interpretation
Committee.


10.3 The Committee discussed possible issues that may arise from
the changes to accounting standards relating to fixed assets
which were capitalised in prior years and the necessary
adjustments that may be required.


10.4 Ailsa Beaton confirmed that the Committee is supportive of 
the planned approach of the work being carried out in 
advance of the end of financial year. 


Single Tender Contract Awards 


10.5 It was confirmed that no single tender contracts were 
awarded during the period since the last report. 


11. External Audit Plan 2021/22 


11.1 Michelle Hopton confirmed that this is a high-level plan. They 
are not expecting fundamental changes to the plan and 
timetable and dates for the final audit have been agreed. 


11.2 Once the plan has been finalised it will be circulated to the 
Committee prior to the next ARC meeting. 


12. Annual Report Timetable 


12.1 Louise Byers presented the high-level timetable for production 
of the ICO’s 2021/22 Annual Report and Financial Statements 
and confirmed that we will continue to follow the successful 
timetable and approach from last year. 


12.2 It was confirmed that the timetable is achievable to ensure 
that we will be in position to lay the annual report on time. 
Ailsa Beaton highlighted the role of the Independent Audit 
Committee member in supporting the Finance Team in 
developing the accounts. 


Action: Corporate Governance and Finance Team to 
arrange a pre-meet with Jayne Scott to review the 
annual accounts. 


13. Outstanding audit recommendations 


13.1 Chris Braithwaite confirmed that Mazars will be commencing 
the follow up audit next week. 


13.2 There is one late action which is close to completion and was 
delayed due to staff sickness. 


13.3 It was highlighted that there are a number of actions on the
audit reports considered at the meeting today that have
actions due for completion by March 2022. These are already
being monitored, however, given the number of them, we
may need to schedule some additional follow up time with
Mazars to validate them in early April.


14. Security Report 


14.1 Louise Byers presented the quarterly Security Report and 
confirmed that there has been an increase in incidents 
compared to the same period last year. One incident was 
assessed as medium severity and it was confirmed that 
actions have already been put in place to mitigate this risk. 


15. Fraud and whistleblowing report


15.1 The Committee noted the report.


16. Any other business


16.1 There were no issues raised. 


